Vulnerability found in the All in One SEO Pack WordPress Plugin

The team behind the All in One SEO Pack just released a new version of their popular WordPress plugin.

It is a security release patching two privilege escalation vulnerabilities we discovered earlier this week that may affect any web site running it.

Are You At Risk?

If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk. You have to update the plugin as soon as possible.

While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross-site scripting (XSS) attacks.

In the first case, a logged-in user without any administrative privileges (such as an author or subscriber) could add or modify certain parameters used by the plugin, including a post’s SEO title, description and keyword meta tags. Any of these, if changed maliciously, could lower the website’s Search Engine Results Page (SERP) ranking.
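The class of bug described above, as an added illustration that is not the plugin's own code: a hypothetical post-meta save handler that trusts any logged-in user, beside a hardened version that ties the write to a nonce and to the caller's right to edit that specific post (all `hypo_seo_*` names are assumptions).

```php
<?php
// Hypothetical WordPress plugin code for illustration only; not from the
// All in One SEO Pack. Field and meta key names are made up.

// BEFORE: the handler only checks that form fields were submitted. Any
// authenticated user who can reach wp-admin (a subscriber, or an author on
// someone else's post) can overwrite the SEO meta of any post id.
function hypo_seo_save_meta_insecure( $post_id ) {
    if ( isset( $_POST['hypo_seo_title'] ) ) {
        update_post_meta( $post_id, '_hypo_seo_title', $_POST['hypo_seo_title'] );
    }
    if ( isset( $_POST['hypo_seo_description'] ) ) {
        update_post_meta( $post_id, '_hypo_seo_description', $_POST['hypo_seo_description'] );
    }
}

// AFTER: same fields, but the request must carry a nonce bound to this post
// and the caller must hold the edit_post capability for this post. Values are
// sanitized so stored meta cannot carry markup into pages that echo it.
function hypo_seo_save_meta_secure( $post_id ) {
    // Autosaves and revisions never carry our form; skip them.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }
    // CSRF protection: the nonce is rendered by the meta box with
    // wp_nonce_field( 'hypo_seo_save_' . $post->ID, 'hypo_seo_nonce' ).
    if ( ! isset( $_POST['hypo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['hypo_seo_nonce'], 'hypo_seo_save_' . $post_id ) ) {
        return;
    }
    // Authorization: a subscriber, or an author on another user's post,
    // fails this check and the meta is left untouched.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $fields = array(
        'hypo_seo_title'       => '_hypo_seo_title',
        'hypo_seo_description' => '_hypo_seo_description',
        'hypo_seo_keywords'    => '_hypo_seo_keywords',
    );
    foreach ( $fields as $field => $meta_key ) {
        if ( isset( $_POST[ $field ] ) ) {
            $value = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
            update_post_meta( $post_id, $meta_key, $value );
        }
    }
}
add_action( 'save_post', 'hypo_seo_save_meta_secure' );
```

When reviewing a plugin, look for every `update_post_meta` or `update_option` reachable from `save_post`, `admin_post_*` or `wp_ajax_*` hooks and confirm each one is preceded by both a nonce check and a capability check scoped to the object being written.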

His passion for code and IT security has no limit. You'll generally find him competing in capture-the-flag security competitions or searching for security vulnerabilities in widespread products for the fun of it. He's also a great fan of heavy-metal music. Follow him on Twitter at @mars0h.

Mark

any PoC ?

perezbox

No.

Mark

Give me PoC pls. I want to hack sites.

http://www.cynicologist.com/ Orun Bhuiyan

Tony can’t say it, so I will:

don’t be an asshole, Mark.

https://triop.se Jonas Lejon

Nice work. Keep up the good work Marc

http://blog.ramboruiz.com/ Rambo Ruiz

How does one upgrade when there’s no upgrade button available anywhere ?

http://clintbutler.net Clint A. Butler

Sign into your WordPress admin panel, select plugins. Choose the All in One plugin. Go to the dropdown at the top or bottom of the page and pick “update”. If there is an update in the repository the system will check and update it for you.

To be safe make sure you go to the plugin details page to ensure you have the most current version installed.

http://blog.ramboruiz.com/ Rambo Ruiz

Thanks Clint I just did that

perezbox

If you still don’t see it I would recommend engaging with the developer directly.

Thanks

http://blog.ramboruiz.com/ Rambo Ruiz

I’ve already got it upgraded Perezbox. Thanks

Will

Clint, your post was the best at telling us how to do the update… so Thanks a ton for your help!

Martyn Davis

Do you know that when your site is viewed using small screens (i.e. phones), your “SiteCheck Website Scanner” dialog consumes half the reading space? Maybe you should disable it when the size of the dialog takes up more than 10-15% of the available reading space.

perezbox

Yeah sorry about that, it should be fixed now.

http://www.gefundenwerden.at/ gefundenwerden

Wow, I made an update. Thank you for the info

http://www.cynicologist.com/ Orun Bhuiyan

What’s unfortunate about this is that All-in-one SEO echoes a generator tag that indicates that the plugin is present and specifies the version number.

I always found it really frustrating that WordPress SEO plugins do this, because when they’re found to have vulnerabilities, it’s that much easier to scrape a list of sites to target.

Quinn

A client of mine received this email but we do not have this plugin installed. We have WordPress SEO by Yoast. Should I still take any action? Our WP and plugins are fully updated.

perezbox

They most likely received it as an informative email, if they don’t have it installed then there isn’t anything to address.

Excuse me, but this report is almost a hoax. Why doesn’t Sucuri show us the plugin version that is vulnerable?

Dave Lawton

“this bug can be used with another vulnerability” is it possible to give any more info about what this “other vulnerability” is without revealing too much about the exploit? What I’m trying to determine is if a site does not have open registration and users are not logging in (as mentioned in the article), is it still vulnerable?

Dave Lawton

Is the “other vulnerability” just another vulnerability in older versions of the plugin? Also are these vulnerabilities present in very old versions of the plugin? What versions are affected?

Buxykay

I think one of my sites has fallen prey to an attack because my hosting company informed me of a script overloading their servers. I have updated and everything seems to work fine.

Thanks for this. Great work. I appreciate your efforts and care about people who use your plugin. I count this as a great sense of responsibility from your side.

http://Dharmamitra.Org Dharmamitra Jeff Stfeani

Sharing Three Comments:
1) YOU ROCK, HARD-CORE…THANK YOU! Shortly after you posted this Report, on Monday, 5/31/2014, I was notified by an automated Alert, responded accordingly––“Battened Down the Hatches”…immediately securing all of my Clients’ WordPress sites, and, (with the aid of a Social Media Mgt. Tool), Shared a Link to this URL, (with Title + Description + appropriate #hashtags) across ≈ 20 various Digital Media+Platforms…of which, many were then passed, much further into the Web.

2) Granted, semantics are relative, so, when you state that: ‘While it does not *necessarily* look that bad…’ in
reference to potential negative SERPs impact, the wisely placed “necessarily” is such a powerful qualifier that it, essentially, negates the remainder of the sentence. However, that’s not an accurate assessment of the full implications of adding and/or modifying the most significant HTML Elements, which can, ultimately, affect *so much more* than a particular Post/URL SERPs.

It’s beyond the scope of this comment to explain the full implications, but my point is that the All-in-1-SEO-Pack vulnerability equates to much more than potential SERPs impact, it opens the door for full out *Negative-SEO Attacks!* Suffice to say; I don’t agree with your sentiment.

3) Lastly, I just want to add that I received an email from GoDaddy today, referencing this/your Blog Post, and advising that a survey has shown that I have the All-in-1-SEO-Pack installed, and that I should remedy this, ASAP. Thank goodness I received a notification regarding your Post, responded, and shared this info within a few hours of this Posting…and do not rely on the cracker jack response of the GoDaddy “Hosting Security Admin Team!”